import Doc from '~/components/layout/docs'
import Note from '~/components/text/note'
import Link from '~/components/text/link'
import { P } from '~/components/text'
import Caption from '~/components/text/caption'
import { InlineCode } from '~/components/text/code'

export const meta = {
  title: 'Encryption',
  description: 'Every ZEIT Now deployment is served of a HTTPS Connection.',
  editUrl: 'pages/docs/v2/network/encryption.mdx',
  lastEdited: '2019-11-05T20:55:16.000Z'
}

Out of the box, every **Deployment** on ZEIT Now is served over an HTTPS connection. The [SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security) certificates for these unique URLs are automatically generated free of charge.

Furthermore, any HTTP requests to your **Deployments** are automatically forwarded to HTTPS using the `308` status code:

```
HTTP/1.1 308 Moved Permanently
Content-Type: text/plain
Location: https://<your-deployment-host>
```

<Caption>
  An example showing how all <InlineCode>HTTP</InlineCode> requests are
  forwarded to <InlineCode>HTTPS</InlineCode>.
</Caption>

It is not possible to disable this redirection or prevent the **Deployment** from being served over HTTPS as it is considered an industry standard to serve web content over a secure connection.

<Note>
  {' '}
  If the client that is issuing requests to your <b>Deployment</b> wants to establish
  a WebSocket connection, please ensure it is connecting using HTTPS directly, as
  the WSS protocol does not support redirections.
</Note>

## Supported TLS Versions

ZEIT Now supports TLS version [1.2](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.2) and TLS version [1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3).

## Supported Ciphers

In order to ensure the integrity of the data received and sent by any **Deployment** running on the **ZEIT Now** platform, we only support strong ciphers with [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy).

The following cipher algorithms are supported:

- TLS_AES_128_GCM_SHA256 (TLS 1.3)
- TLS_AES_256_GCM_SHA384 (TLS 1.3)
- TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)
- ECDHE-ECDSA-AES128-GCM-SHA256 (TLS 1.2)
- ECDHE-RSA-AES128-GCM-SHA256 (TLS 1.2)
- ECDHE-ECDSA-AES256-GCM-SHA384 (TLS 1.2)
- ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2)
- ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2)
- ECDHE-RSA-CHACHA20-POLY1305 (TLS 1.2)
- DHE-RSA-AES128-GCM-SHA256 (TLS 1.2)
- DHE-RSA-AES256-GCM-SHA384 (TLS 1.2)

This is the [recommended configuration from Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29).

## Support for HSTS

The `.now.sh` domain (and therefore all of its sub domains, which are the unique URLs set when creating a deployment) support HSTS automatically and are preloaded.

```
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload;
```

<Caption>
  The default <InlineCode>Strict-Transport-Security</InlineCode> header for
  *.now.sh
</Caption>

Custom domains use HSTS, but only for the particular subdomain.

```
Strict-Transport-Security: max-age=63072000;
```

<Caption>
  The default <InlineCode>Strict-Transport-Security</InlineCode> header for
  custom domains
</Caption>

You can modify this by setting the `Strict-Transport-Security` ([more details](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)) header in your deployment.

Theoretically, you could set the `max-age` parameter to a different value (it indicates how long the client should remember that your site is only accessible over HTTPS), but since we do not allow connections made over HTTP, there is no point in setting it to a shorter value, as the client can just remember it forever.

<Note>
  {' '}
  You can test whether your site qualifies for HSTS Preloading <Link href="https://hstspreload.org/">
    here
  </Link>. It also allows submitting the domain to Google Chrome's hardcoded HSTS
  list. Making it onto that list means your site will become even faster, as it is
  always accessed over HTTPS right away, instead of the browser following the redirection
  issued by our <b>Network</b> layer.
</Note>

## How Certificates Are Handled

The unique URLs generated when creating a deployment are handled using a wildcard certificate issued for the `.now.sh` domain. The **ZEIT Now** platform generates wildcard certificates using [LetsEncrypt](https://letsencrypt.org/) and keeps them updated automatically.

When custom certificates are generated using `now certs issue`, however, their keys are placed in our database and [encrypted at rest](https://en.wikipedia.org/wiki/Data_at_rest#Encryption) within the Network layer.

Then, once a hostname is requested, the certificate and key are read from the database and used for establishing the secure connection. In addition, both are cached in memory for optimal SSL termination performance.

## Full Specification

Any features of the encryption mechanism that were left uncovered are documented [here](https://www.ssllabs.com/ssltest/analyze.html?d=zeit.co). You only need to make sure to select any IP address of your choice (it does not matter which one you pick – the results are the same for all).

export default ({ children }) => <Doc meta={meta}>{children}</Doc>

export const config = {
  amp: 'hybrid'
}
